Actions
List Incidents
Gets a list of incident objects that Microsoft Defender XDR (formerly known as 365 Defender) created to track attacks in an organization.
- Least privileged Microsoft Graph permission to access the action via application: SecurityIncident.Read.All.
- Higher privileged Microsoft Graph permission to access the action via application: SecurityIncident.ReadWrite.All.
To learn more, visit the Microsoft Defender XDR documentation.
Parameters
Parameter | Description |
---|---|
Count | The $count query parameter is used to retrieve the count of the total number of items in a collection or matching an expression. For more information on using $count, refer to Microsoft Query Parameters Documentation. |
Expand | The $expand query string parameter is used to include the expanded resource or collection (like alerts) referenced by a single relationship (navigation property) in your results. For more information on using $expand, refer to Microsoft Query Parameters Documentation. |
Filter | The $filter query parameter is used to retrieve a subset of a collection. For more information on using $filter, refer to Microsoft Query Parameters Documentation. The following properties are supported: assignedTo, classification, determination, createdDateTime, lastUpdateDateTime, severity, status. |
Skip | The $skip query parameter is used to set the number of items to skip at the start of a collection. For more information on using $skip, refer to Microsoft Query Parameters Documentation. |
Top | The $top query parameter is used to specify the number of items to be included in the result. For more information on using $top, refer to Microsoft Query Parameters Documentation. |
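
A client-side check of the parameters in the table above, as an added example that is not part of the original page or the connector's own code: it builds the query string and refuses a $filter on a property outside the supported list, so a misspelled property fails before the request is sent. The endpoint URL, the function names, and the sample filter values are assumptions.

```python
import re
from urllib.parse import quote, urlencode

# Assumption: the action maps onto the Microsoft Graph v1.0 incidents collection.
GRAPH_INCIDENTS_URL = "https://graph.microsoft.com/v1.0/security/incidents"

# Properties the parameter table lists as supported in $filter.
FILTERABLE = {"assignedTo", "classification", "determination",
              "createdDateTime", "lastUpdateDateTime", "severity", "status"}
# OData comparison/logical operators and literals, which are not property names.
RESERVED = {"eq", "ne", "gt", "ge", "lt", "le", "and", "or", "not", "in",
            "true", "false", "null"}


def filter_properties(expr):
    """Return the identifiers a $filter expression uses as property names."""
    expr = re.sub(r"'(?:[^']|'')*'", " ", expr)              # string literals
    expr = re.sub(r"\d{4}-\d{2}-\d{2}T[\d:.]+Z?", " ", expr)  # datetime literals
    return set(re.findall(r"[A-Za-z_]\w*", expr)) - RESERVED


def build_incidents_url(filter_expr=None, top=None, skip=None,
                        expand=None, count=False):
    """Build the request URL, rejecting filters on properties outside the list."""
    params = {}
    if filter_expr:
        unknown = filter_properties(filter_expr) - FILTERABLE
        if unknown:
            raise ValueError(f"unsupported $filter properties: {sorted(unknown)}")
        params["$filter"] = filter_expr
    for name, value in (("$top", top), ("$skip", skip)):
        if value is None:
            continue
        if isinstance(value, bool) or not isinstance(value, int) or value < 0:
            raise ValueError(f"{name} must be a non-negative integer")
        params[name] = str(value)
    if expand:
        params["$expand"] = expand
    if count:
        params["$count"] = "true"
    query = urlencode(params, quote_via=quote, safe="$")
    return f"{GRAPH_INCIDENTS_URL}?{query}" if query else GRAPH_INCIDENTS_URL


if __name__ == "__main__":
    # Constructed sample: active high-severity incidents, 50 per page, with alerts.
    print(build_incidents_url("status eq 'active' and severity eq 'high'",
                              top=50, expand="alerts"))
```

Identifiers that are not in the supported list, including OData functions, are rejected by this check.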
Example Output
Workflow Library Example
List Incidents with Microsoft Defender Xdr and Send Results Via Email